Permissions and roles

| Role | Level of control |
|---|---|
| Admin | Highest level of control |
| Manager | Lower level of control in which security settings cannot be changed; devices and groups cannot be changed either. |
| Viewer | Settings and devices can only be viewed, not edited |

Roles can be given on different levels, essentially making the user admin/manager/viewer of a specific entity (the entire organisation being one of these entities). The entities on which roles can be assigned are:
- Organisation: if a right is given to a user for the entire organisation, the user is granted access to all the groups and devices in the organisation as well as the organisation’s default settings.
- Group: if a right is given to a user for a specific group, the user is granted access to the settings of the group itself as well as all the devices in the group. Devices which are added to the group at a later time can also be accessed.
- Device: if a right is given to a user for a specific device, the user is granted access to the settings of the device itself. The user cannot change the group that the device is in, only its settings.
Multiple permissions for a single user
Permissions are additive, meaning that for example a user can be given access to an entire group and an individual device at the same time. If that user loads the list of all devices, it will contain both the devices in the group and the individual device.
A user may also have different roles for different entities. So it could be that a user is 'Viewer' for the entire organisation but at the same time 'Admin' for a specific group of devices. That user will see all devices in the organisation, but will only be able to change the settings of a device if that device is part of the group that the user is 'Admin' of.
As described above, there is a difference between the 'Administrator' and 'Manager' roles. Most notably, a 'Manager' cannot change what we designate as a security setting. This is the list of current security settings within Screen Control:
- Secure mode and PIN code
- Central USB storage
- Internal microphones
- DESfire (NFC)
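
The additive, per-entity role model described above can be sketched as a small access-review script. This is an added example, not Screen Control's own code: the user names, device and group names, setting identifiers and the "highest applicable role wins" rule are assumptions made for illustration.

```python
from enum import IntEnum

class Role(IntEnum):
    NONE = 0
    VIEWER = 1
    MANAGER = 2
    ADMIN = 3

# The four security settings listed on this page (identifier spellings are assumed).
SECURITY_SETTINGS = {"secure_mode_and_pin", "central_usb_storage",
                     "internal_microphones", "desfire_nfc"}

# Constructed sample data: device -> group, and per-user grants (scope, target, role).
DEVICE_GROUP = {"screen-1": "lobby", "screen-2": "lobby", "screen-3": "boardroom"}
GRANTS = {
    "alice": [("organisation", None, Role.VIEWER), ("group", "boardroom", Role.ADMIN)],
    "bob": [("group", "lobby", Role.MANAGER), ("device", "screen-3", Role.VIEWER)],
}

def effective_role(user, device):
    """Highest role that any of the user's grants yields on this device."""
    best = Role.NONE
    for scope, target, role in GRANTS.get(user, []):
        applies = (scope == "organisation"
                   or (scope == "group" and DEVICE_GROUP.get(device) == target)
                   or (scope == "device" and device == target))
        if applies:
            best = max(best, role)
    return best

def visible_devices(user):
    """Permissions are additive: the union of everything any grant exposes."""
    return sorted(d for d in DEVICE_GROUP if effective_role(user, d) >= Role.VIEWER)

def can_change_setting(user, device, setting):
    """Security settings need Admin; other settings are assumed to need Manager."""
    required = Role.ADMIN if setting in SECURITY_SETTINGS else Role.MANAGER
    return effective_role(user, device) >= required

def security_setting_editors(device):
    """Access review: which users can change security settings on this device."""
    return sorted(u for u in GRANTS if effective_role(u, device) == Role.ADMIN)

if __name__ == "__main__":
    for user in GRANTS:
        print(user, visible_devices(user))
    print(security_setting_editors("screen-3"))
```

Running `security_setting_editors` over every device gives a quick list of who can alter secure mode, USB storage, microphones or NFC, which is the set worth reviewing when roles are handed out at group level.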
There are additional permissions which are only granted if the user is 'Admin' for the entire organisation or a package admin* within our user management. So for example a user with 'Admin' rights to a group cannot hand out rights to other users for devices in that group. Organisation admins are the only users that can:
- Manage rights
- Delete screens
- Create / delete groups